
Kiwi Syslog Server Delay in Syslog Message Processing

Updated March 11th, 2016

Overview

This article provides a checklist to work through when Kiwi Syslog Server is not keeping up with syslog message processing and is delayed by several minutes or hours.

Environment

  • All versions of Kiwi Syslog Server
  • All versions of Windows

Cause 

The typical causes are either:

  • An Action is causing a bottleneck, or
  • Kiwi Syslog Server cannot process the syslog messages through the Rule engine at the speed that they are arriving.

Resolution

  1. Check for the following bottlenecks:
    • Log to File Action configured to log to a network path: Writing the current log to a network path seriously reduces the number of syslog messages Kiwi Syslog Server can handle per second (approximately 100-300 messages per second, depending on the network).
      • It is best to configure a Log to File Action to log to a local path and then configure an Archive Schedule to move older logs to a network path at regular intervals.
    • Forwarder to another host with Spoofing enabled: Because Spoofing requires that the syslog packet be deconstructed and rebuilt, it can be resource intensive. As a result, Spoofing can only handle a limited number of syslog messages per second (approximately 100 messages per second).
  2. Check the volume of incoming syslog messages against the number of Rules, Filters and Actions you have: Generally, Kiwi Syslog Server can comfortably handle 2 million messages per hour (approximately 600-800 messages per second) with the default Rules. The number of syslog messages that can be processed per second will inevitably decrease when additional Rules, Filters and Actions are added. To verify this:
    1. Scroll down to the Message Buffer Information section and note the following values:
      • Message Count
      • Message Count Max
    2. Click Manage > Debug options > Get Diagnostic information.
    3. Open the Kiwi Syslog Server Manager.

Note: Generally, if Message Count Max is larger than Message Count and it continues to grow, this indicates that the syslog messages cannot be processed as fast as they are arriving. To address this, split the load across a second Kiwi Syslog Server installation.
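
An added example (not part of the original article and not SolarWinds code): one way to estimate the arrival rate from a local log file and compare it with the approximate per-second figures given above. It assumes a tab-delimited log whose first field is a `YYYY-MM-DD HH:MM:SS` timestamp; the sample lines and all function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Approximate ceilings quoted in the article (messages per second,
# lower bound of each quoted range).
CEILINGS = {
    "forward with spoofing": 100,
    "log to file on network path": 100,
    "default rules": 600,
}

def per_second_counts(lines, ts_format="%Y-%m-%d %H:%M:%S"):
    """Count messages per arrival second; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        stamp = line.split("\t", 1)[0].strip()  # assumed: timestamp is field 1
        try:
            counts[datetime.strptime(stamp, ts_format)] += 1
        except ValueError:
            continue
    return counts

def rate_profile(lines):
    """Total, peak per-second rate and average rate over the observed span."""
    counts = per_second_counts(lines)
    if not counts:
        return {"total": 0, "peak": 0, "average": 0.0}
    span = (max(counts) - min(counts)).total_seconds() + 1
    total = sum(counts.values())
    return {"total": total, "peak": max(counts.values()), "average": total / span}

def exceeded_ceilings(profile, ceilings=CEILINGS):
    """Names of ceilings that the sustained (average) rate meets or exceeds."""
    return sorted(n for n, limit in ceilings.items() if profile["average"] >= limit)

def build_sample():
    # Constructed sample: three seconds at 150, 90 and 120 messages per second.
    lines = []
    for second, n in enumerate((150, 90, 120)):
        lines += [f"2016-03-11 10:00:0{second}\tLocal7.Info\t192.0.2.10\tconstructed {i}"
                  for i in range(n)]
    lines.append("garbled line without timestamp")  # skipped by the parser
    return lines

if __name__ == "__main__":
    profile = rate_profile(build_sample())
    print(profile, exceeded_ceilings(profile))
```

A sustained rate at or above a ceiling points to the corresponding Action or Rule load as the likely bottleneck; a high peak with a low average suggests bursts that the message buffer may absorb.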
